Upload of the Trivy report to GHAS does not create security vulnerabilities on Pull Requests

[helgardwagener]

Description

We have setup Trivy scanning for a docker image to detect vulnerabilities, the Trivy scan completes successfully, and the report uploads to GHAS successfully, but no security vulnerabilities are logged when the scan was on a pull request.

Desired Behavior

After scanning the docker image with Trivy on a pull request into the main branch - see any vulnerabilities that has been picked up by GHAS after the Trivy sarif report has been uploaded before we complete the pull request.

Actual Behavior

After scanning the docker image with Trivy on a pull request, the Trivy sarif report is uploaded to GHAS but doesn't show any vulnerabilities. We then complete the pull request and merge the changes into the main branch which triggers another run of the Trivy scan, this time upon uploading the Trivy sarif report to GHAS we see vulnerabilities logged in GHAS.

We would ideally like to see vulnerabilities BEFORE we have to merge to the main branch.

Reproduction Steps

Please see the workflow yml to reproduce:

name: Quality and Security Checks
on:
  push:
    branches:
    - main
    - release/**
  pull_request:
  schedule:
    - cron: '18 4 * * 5'

jobs:
  trivy-analysis:
    name: Analyze container scanning with Trivy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      security-events: write
      actions: read

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    - name: Build Docker image
      id: build
      uses: ./.github/actions/api-docker-build
      with:
        base-image-name: ${{ env.CONTAINER_BASE_NAME }}        
        registry-name: ${{ env.CONTAINER_REGISTRY_NAME }}
        image-name: ${{ env.CONTAINER_IMAGE_NAME }}
        container-port: ${{ env.CONTAINER_PORT }}
        image-tag: ${{ github.run_id }}
    
    - name: Run Trivy vulnerability scanner
      id: trivy
      continue-on-error: true
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: ${{ steps.build.outputs.image-name }}
        scan-type: image
        format: sarif
        output: trivy-report.sarif
        exit-code: 1 # Fail if any error
        ignore-unfixed: true
        vuln-type: os,library
        severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
        timeout: 15m
        scanners: vuln

    - name: Upload Trivy result to GHAS
      if: (success() || failure()) && (github.event_name == 'pull_request' || github.event_name == 'push')
      uses: github/codeql-action/upload-sarif@v2
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        sarif_file: trivy-report.sarif
        category: trivy

Target

Container Image

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Debug Output

Can't show debug

Operating System

Ubuntu latest

Version

uses: aquasecurity/trivy-action@master

Checklist

• Run trivy image --reset
• Read the troubleshooting

[simar7]

Have you tried to check under the filter of branch for code scanning? AFAIK GitHub code scanning only shows you the main branch in the default view.

https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page

[helgardwagener]

Hi, apologies for the late response.

I have checked branches and specific pull requests that I know should have open scanning issues, when I complete the PRs and merge to main then only do the trivy issues get created and then see them on the main branch.

Could you perhaps show me what a working workflow looks like?

Also both Trivy and CodeQL are showing as correctly configured under the tool status option.

[simar7]

Could you use an event like this to trigger the action on a specific branch?

[helgardwagener]

Hi Simar, I've tried specifying specific branches (main and release branches as standard and then tested on specific named branches) but the same behaviour continues.

• Create the pull request
• All scanning events run and complete with no errors reported - no GHAS security issues are raised by Trivy
• Merge PR into the main branch - as standard we run the security checks again
• Trivy picks up vulnerabilities and dependencies and the sarif report uploaded to GHAS creates security issues

[simar7]

Is it a public repo? If so can you share with us? It only seems to be available on them https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

[helgardwagener]

Hi Simar, its not a public repo, the Trivy scans are definitely supported on private repos as per Trivy themselves and the trivy scans work as expected on the main branch but not the pull request branches created against main.

I'll do more experiments and see what happens if I manually run trivy instead of using the GH actions modules for trivy